Talos Vulnerability Report

TALOS-2017-0451

January 11, 2018

CVE Number

CVE-2017-12099

Summary

An exploitable integer overflow exists in the upgrade of the legacy Mesh attribute tface of the Blender open-source 3D creation suite v2.78c. A specially crafted .blend file can cause an integer overflow resulting in a buffer overflow, which can allow for code execution under the context of the application. An attacker can convince a user to open the file or use it as a library in order to trigger this vulnerability.

Tested Versions

Blender v2.78c

Product URLs

CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Details

Blender is a professional, open-source 3D computer graphics application. It is used for creating animated films, visual effects, art, 3D-printed models, and video games. It is also capable of basic video editing and sequencing as needed by the user. It provides a wide range of features that allow a user to perform the many actions a particular project requires.

During the initial load of a .blend file, a version check of the file is triggered in order to adjust legacy features. Blender has a series of fixes isolated in blocks grouped by file version, shown below.

The numbers 250 - 270 correspond to checks pertaining to that particular version block. During the checks for versions before 2.5 [0], there are a few fixes for versions before 2.42 [1], one of which fixes specific CustomData for Mesh objects [2].

Because tface is deprecated, new mcol and mtface layers must be created. This is done via the CustomData_add_layer API. Note that me->totface comes from the Mesh object created from file data [3], so it is attacker-controlled. CustomData_add_layer calls an internal API, customData_add_layer__internal, to allocate the memory necessary for the new mcol and mtface objects [4].

During the creation of this CustomData layer, the size of the layer is calculated by multiplying the total number of elements (me->totface from above) by the size of the structure. By supplying a large enough value, this size variable can be made to wrap around to a much smaller number than required [5].

This wrapped size value is used in the MEM_callocN call [6]. The resulting undersized allocation is then stored in the layer's data element [7] and returned to the caller, customdata_version_242. This layer is then filled from the old tface data [8], which writes me->totface elements into a buffer that is far too small and produces the buffer overflow.
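The following is an added illustration, not Blender's code: it models the unchecked count-times-size computation the advisory describes beside a hardened version that rejects the multiplication when it would wrap. The 32-bit width of the unchecked product, the 32-byte element size and the sample totface value are all constructed assumptions, not values from the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed per-element size; the real MTFace/MCol sizes are not
 * stated in the advisory, 32 bytes is only a stand-in. */
#define ELEM_SIZE 32u

/* Models the unchecked computation the advisory describes: element count
 * (totface, taken from the file) times element size. Evaluated here in
 * 32-bit unsigned arithmetic (an assumption about the original's width),
 * so the product silently wraps modulo 2^32 for a large enough totface. */
uint32_t unchecked_layer_size(uint32_t totface, uint32_t elem_size)
{
    return totface * elem_size;
}

/* Hardened counterpart: reject any count * size that does not fit in
 * size_t. Returns 1 and the exact byte count on success, 0 on overflow. */
int checked_layer_size(size_t totface, size_t elem_size, size_t *out)
{
    if (totface != 0 && elem_size > SIZE_MAX / totface)
        return 0;
    *out = totface * elem_size;
    return 1;
}

/* Allocation wrapper for a loader: takes count and element size separately
 * so the overflow check cannot be bypassed, then zero-fills the buffer. */
void *alloc_layer(size_t totface, size_t elem_size)
{
    size_t bytes;
    if (!checked_layer_size(totface, elem_size, &bytes))
        return NULL;
    return calloc(totface, elem_size);
}

int main(void)
{
    /* Constructed value: (2^27 + 1) * 32 = 2^32 + 32, wraps to 32 bytes. */
    uint32_t totface = (1u << 27) + 1;
    printf("unchecked: %u bytes for %u elements\n",
           unchecked_layer_size(totface, ELEM_SIZE), totface);
    size_t bytes = 0;
    if (checked_layer_size(totface, ELEM_SIZE, &bytes))
        printf("checked:   %zu bytes for %u elements\n", bytes, totface);
    void *p = alloc_layer(SIZE_MAX, 2); /* would overflow: refused */
    printf("SIZE_MAX elements -> %s\n", p ? "allocated" : "rejected");
    return 0;
}
```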